Movatterモバイル変換

[0]ホーム
URL:

EP1742152B1 - Method and system for a multi-sharing memory access control - Google Patents

Method and system for a multi-sharing memory access controlDownload PDF

Info

Publication number
EP1742152B1
EP1742152B1EP05291479AEP05291479AEP1742152B1EP 1742152 B1EP1742152 B1EP 1742152B1EP 05291479 AEP05291479 AEP 05291479AEP 05291479 AEP05291479 AEP 05291479AEP 1742152 B1EP1742152 B1EP 1742152B1
Authority
EP
European Patent Office
Prior art keywords
access
memory
security
region
memory protection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
EP05291479A
Other languages
German (de)
French (fr)
Other versions
EP1742152A1 (en
Inventor
Gregory R. Conti
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Texas Instruments France SAS
Texas Instruments Inc
Original Assignee
Texas Instruments France SAS
Texas Instruments Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Texas Instruments France SAS, Texas Instruments IncfiledCriticalTexas Instruments France SAS
Priority to EP05291479ApriorityCriticalpatent/EP1742152B1/en
Priority to US11/272,532prioritypatent/US7853997B2/en
Priority to PCT/US2006/026344prioritypatent/WO2007008595A2/en
Publication of EP1742152A1publicationCriticalpatent/EP1742152A1/en
Application grantedgrantedCritical
Publication of EP1742152B1publicationCriticalpatent/EP1742152B1/en
Anticipated expirationlegal-statusCritical
Ceasedlegal-statusCriticalCurrent

Links

Images

Classifications

Definitions

Landscapes

Description

    BACKGROUND
  • Mobile electronic devices such as personal digital assistants (PDAs) and digital cellular telephones are increasingly used for electronic commerce (e-commerce) and mobile commerce (m-commerce). Programs that execute on the mobile devices to implement e-commerce and/or m-commerce functionality may need to operate in a secure mode to reduce the likelihood of attacks by malicious programs (e.g., virus programs) and to protect sensitive data.
  • For security reasons, at least some processors provide two levels of operating privilege: a first level of privilege for user programs; and a higher level of privilege for use by the operating system. However, the higher level of privilege may or may not provide adequate security for m-commerce and e-commerce, given that this higher level relies on proper operation of operating systems with highly publicized vulnerabilities. In order to address security concerns, some mobile equipment manufacturers implement yet another third level of privilege, or secure mode, that places less reliance on corruptible operating System programs and more reliance on hardware-based monitoring and control of the secure mode. An example of one such system may be found inU.S. Patent Publication No. 2003/0140245, entitled "Secure Mode for Processors Supporting MMU and Interrupts."
  • In addition to this secure mode, various hardware-implemented security firewalls and other security monitoring components have been added to the processing systems used in mobile electronic devices to further reduce the vulnerability to attacks. Examples of these security improvements may be found inU.SPatent Applications 10/961,756, entitled "System and Method for Secure Mode for Processors and Memories on Multiple Semiconductor Dies Within a Single Semiconductor Package," 10/961,755, entitled "Method and System of Ensuring Integrity of a Secure Mode Entry Sequence," 10/961,344, entitled "System and Method of Identifying and Preventing Security Violations Within a Computing System," 10/961,748, entitled "Method and System of Verifying Proper Execution of a Secure Mode Entry Sequence," and European Patent ApplicationEP 04292405.0, entitled "Method and System for Detecting a Security Violation Using an Error Correction Code," all of which are hereby incorporated by reference.
    In some implementations, one or more hardware-implemented security firewalls block or allow access to a system component in a mobile electronic device by another component (or by software executing on that component) depending on a set of rules. These rules establish relationships between pairs of components (i.e., system initiators and system targets) and the mode of operation (e.g., secure or non-secure). Such rules may be implemented either in hardware or software in the form of a permission table, wherein the component attempting access is crossed-referenced to an address range of the component to which access is desired. If the component requesting access does not have the appropriate access rights for the requested operation and for the current mode of operation, the firewall signals a security violation and the access is blocked.
  • For example, United States Patent Application No.2003/018860 describes a method and apparatus for operating a digital system having several processors and peripheral devices connected to a shared memory subsystem. Two or more of the processors execute separate operating systems. In order to control access to shared resources, a set of address space regions within an address space of the memory subsystem is defined within system protection map (SPM) Resource access rights are assigned to at least a portion of the set of regions to,indicate which initiator resource is allowed to access each region. Using the address provided with the access request, the region being accessed by a memory access request is identified by the SPM. During each access request, the SPM identifies the source of the request using a resource identification value provided with each access request and then a determination is made of whether the resource accessing the identified region has access rights for the identified region. Access to the identified region is allowed to an initiator resource only if the resource has access rights to the identified region; otherwise an error process is initiated.
  • While these security firewall implementations help reduce the vulnerability of a mobile electric device to attacks, they have limitations that need to be addressed.
    • SUMMARY
  • The invention resides in a method for controlling access to a target memory of a system and a memory security firewall apparatus as set out in the accompanying claims
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • For a detailed description of exemplary embodiments of the invention, reference will now be made to the accompanying drawings in which:
    • Figure 1 shows a system in accordance with one or more embodiments.
    • Figures 2A - 2C show a multi-sharing memory security firewall subsystem in accordance with one or more embodiments.
    • Figures 3,4,5A,5B,6, 7, and8 show pseudo code illustrating the operation of portions of a multi-sharing memory security firewall subsystem in accordance with one or more embodiments.
    • Figure 9 shows a flow chart of a method in accordance with one or more embodiments.
    NOTATION AND NOMENCLATURE
  • Certain terms are used throughout the following description and claims to refer to particular system components. As one skilled in the art will appreciate, companies may refer to a component by different names. This document does not intend to distinguish between components that differ in name but not function. In the following discussion and in the claims, the terms "including" and "comprising" are used in an open-ended fashion, and thus should be interpreted to mean "including, but not limited to...." Also, the term "couple" or "couples" is intended to mean either an indirect or direct electrical connection. Thus, if a first device couples to a second device, that connection may be through a direct electrical connection, or through an indirect electrical connection via other devices and connections.
    • DETAILED DESCRIPTION
  • The following discussion is directed to various embodiments of the invention. Although one or more of these embodiments may be preferred, the embodiments disclosed should not be interpreted, or otherwise used, as limiting the scope of the disclosure, including the claims. In addition, one skilled in the art will understand that the following description has broad application, and the discussion of any embodiment is meant only to be exemplary of that embodiment, and not intended to intimate that the scope of the disclosure, including the claims, is limited to that embodiment.
    Inasmuch as the systems and methods described herein were developed in the context of a mobile computing system, the description herein is based on a mobile computing environment. However, the discussion of the various systems and methods in relation to a mobile computing environment should not be construed as a limitation as to the applicability of the systems and methods described herein to only mobile computing environments. One of ordinary skill in the art will appreciate that these systems and methods may also be implemented in other computing environments such as desktop computers, laptop computers, network servers, and mainframe computers.
  • Figure 1 shows asystem 100 constructed in accordance with one or more embodiments of the invention. In accordance with at least some embodiments, thesystem 100 may be a mobile device such as a cellular telephone, personal digital assistant (PDA), text messaging system, and/or a device that combines the functionality of a messaging system, personal digital assistant and a cellular telephone.
  • Thesystem 100 includes a multiprocessing unit (MPU) 104 coupled to various other system components by way of data and instruction busses and security firewalls (e.g.,L3 interconnect 116, and L4 interconnect 130). The MPU 104 includes a processor core (core) 110 that executes programs. In some embodiments, thecore 110 has a pipelined architecture. The MPU 104 further includes a core security controller (CSC) 112, which aids the MPU 104 in entering a secure mode for execution of secure programs on thecore 110. The core security controller 112 may also monitor operation during secure mode to ensure secure operation, and during non-secure mode to prevent access to secure components of thesystem 100.
  • Thecore 110 may be any processor suitable for integration into a system on a chip (SoC), such as the ARM 1136 series of processors. In other embodiments, thecore 110 may be a processor that includes some or all of the functionality of the core security controller 112 as described herein, such as the ARM 1176 series of processors. The ARM 1136 and 1176 technology may be obtained from ARM Holdings plc of Cambridge, United Kingdom, and/or ARM, Inc. of Austin, Texas, USA.
  • Thesystem 100 also includes a digital signal processor (DSP) 106 coupled to the MPU 104 by way of theL3 interconnect 116. The DSP 106 aids the MPU 104 by performing task-specific computations, such as graphics manipulation and speech processing. The DSP 106 may have its own core and its own core security controller (not specifically shown). A graphics accelerator (GFX) 108 may also couple both to the MPU 104 and the DSP 106 by way of theL3 interconnect 116. Thegraphics accelerator 108 performs necessary computations and translations of information to allow display of information, such as ondisplay device 142. Thegraphics accelerator 108, like the MPU 104 and the DSP 106, may have its own core and its own core security controller (not specifically shown). As with the MPU 104, both the DSP 106 and thegraphics accelerator 108 may each independently enter a secure mode to execute secure programs on their respective cores.
  • Thesystem 100 also includes a direct memory access controller (DMA CTLR) 122 coupled to on-chip RAM 118, on-chip ROM 120,external memory 146, and stackedmemory 148 by way of theL3 interconnect 116. The directmemory access controller 122 controls access to and from the on-chip memory and the external memory by any of the other system components such as, for example, the MPU 104, the DSP 106 and thegraphics accelerator 108. The memory components may be any suitable memory, such as synchronous RAM, RAMBUS™-type RAM, programmable ROMs (PROMs), erasable programmable ROMs (EPROMs), and electrically erasable programmable ROMs (EEPROMs). Thestacked memory 148 may be any suitable memory that is integrated within the same semiconductor package as system-on-a-chip (SoC) 102, but on a semiconductor die separate from the semiconductor die of the system-on-a-chip 102.
  • Thesystem 100 also includes various interfaces and components coupled to the various subsystems of theSoC 102 by way of theL4 interconnect 130. The interfaces include a USB interface (USB I/F) 124 that allows thesystem 100 to couple to and communicate with external devices, a camera interface (CAM I/F) 126 which enables camera functionality for capturing digital images, and a user interface (User I/F) 140A, such as a keyboard, keypad, or touch panel, through which a user may input data and/or messages. The components include amodem chipset 138 coupled to anexternal antenna 146, a global positioning system (GPS)circuit 128 likewise coupled to anexternal antenna 144, and apower management unit 134 controlling abattery 132 that provides power to the various components of thesystem 100.
  • Many of the components illustrated infigure 1, while also available as individual integrated circuits, may be integrated or constructed onto a single semiconductor die. Thus, the MPU 104,digital signal processor 106,memory controller 122, along with some or all of the remaining components, may be integrated onto a single die, and thus may be integrated into thesystem 100 as a single packaged component. Having multiple devices integrated onto a single die, especially devices comprising an MPU 104 and on-chip memory (e.g., on-chip RAM 118 and on-chip ROM 120), is generally referred to as a system-on-a-chip (SoC) 102 or a megacell. While using a system-on-a-chip may be preferred, obtaining the benefits of the systems and methods as described herein does not require the use of a system-on-a-chip.
  • Each of the core security controllers (e.g., core security controller 112) is implemented as a hardware-based state machine that monitors system parameters of each of the respective processor cores (e.g., core 110). A core security controller allows the secure mode of operation to initiate such that a processor may execute secure programs from secure memory (e.g., from a secure address range of the on-chip memory) and access secure resources (e.g., control registers for secure channels of the direct memory access controller 122). For more detailed description of embodiments of a core security controller, including the secure mode of operation, the signals that may be monitored to make the decision as to whether to enter the secure mode, and a state diagram for operation, reference may be had to United States Patent Application Publication No.2003/0140245A1, published July 24, 2003, which is assigned to the same Assignee as the present specification, and which is incorporated by reference herein as if reproduced in full below.
  • TheL3 interconnect 116 and theL4 interconnect 130 of thesystem 100 each include busses linking the various components of thesystem 100 and security firewalls (e.g., memory security firewalls 150-156 and L4 security firewall 158) that provide additional protection beyond the protection provided by the core security controllers. The security firewalls provide isolation between components of thesystem 100 that are capable of operating at different security levels. The security firewalls are integrated into the busses linking the various components of thesystem 100 to provide control over request/response mechanisms within the busses. Such request/response mechanisms allow components requesting access (i.e., initiators) to access other components, (i.e., targets) only if access is allowed by the security firewall integrated into the bus coupling the components. Thus, for example, the directmemory access controller 122 may request access to thestacked memory 148, but will only be granted access by thememory security firewall 152 integrated into theL3 interconnect 116 if access does not violate a security constraint (i.e., has the appropriate access attributes as defined in the memory security firewall). Or, if an attempt is made by a USB device coupled to theUSB port 124 to access a secure address range of the on-chip RAM 118, theL4 security firewall 158 may deny access.
  • As is further explained below in reference tofigures 2A - 2C, in accordance with at least some embodiments, the memory security firewalls 150-156 may be implemented using digital hardware. Such hardware utilizes initiator and target identification information and access attributes placed on the bus portion of theL3 interconnect 116 as input. In some embodiments, these access attributes include a security level attribute indicating whether the access is public or secure, a mode attribute indicating whether the access is made in functional or debug mode, a privilege attribute indicted whether the access is made in user or supervisor mode, a data/opcode attribute indicating whether the access is a data transfer or an opcode fetch, and a read/write attribute indicating whether the access is a read request or a write request. Logic within a memory security firewall uses the identification information and the access attributes to determine whether or not access to the target by the initiator is granted.
  • Each of the memory security firewalls 150-156 allows the target memory space it protects to be split into multiple shared memory protection regions. In some embodiments, the size of the memory space allocated to each memory protection region must be in multiples of 64K bytes and the start and end address of each memory space must be aligned on 64K byte boundaries. In other embodiments, the size of each memory protection region may be any power of 2 bytes (e.g., 2Kbytes, 4Kbytes, 16Kbytes, etc.)
  • Each of the memory protection regions may be shared by two groups of initiators, which may be defined for each protection region. That is, each memory protection region has associated with it two groups of initiators that share access to the region. Further, each of the initiator groups of a protection region may have its own set of access permissions. Therefore, a memory security firewall will only allow access to a memory protection region in the target memory space the firewall protects if the initiator of the access is included in one of the two initiator groups defined for the protection region, and the access request is accompanied by a combination of access attributes or permissions that corresponds to a combination included in the set of access permissions of the initiator group that includes the initiator. If the access attempt does not meet all of these criteria, the access request is blocked and a security violation response may be executed.
  • In some embodiments, the memory protection regions may be defined to overlap, thus requiring an approach for deciding which access permissions should be used to determine if an access request is to be allowed when the address of an access request is in an overlapped area. In such embodiments, each memory protection region is assigned a security priority level. When the address of an access request falls within an overlapped area of the target memory space, the memory security firewall uses the access permissions of the region including the overlapped area that has the highest priority. If the overlapping regions have the same security priority level, the access is blocked and a security violation response may be executed.
  • The security firewalls, the core security controllers (e.g., core security controller 112), and theattack indicator 144 each couple to thesecurity controller 114. Thesecurity controller 114 acts as a hub for the detection of security violations, receiving security violation signals from the core security controllers and the firewalls. If thesecurity controller 114 receives a security violation signal, it may respond by alerting the user that a violation has been detected, such as by activating theattack indicator 144, by causing one or more core security controllers (e.g., core security controller 112) to initiate one or more security response sequences (described below), such as blocking the current access from reaching the target memory or target component, and/or by logging the source of the security violation. Theattack indicator 144 may be a visible or audible (or both) indicator such as an LED or a buzzer.
  • The response of thesecurity controller 114 is determined based on pre-selected options set when thesystem 100 is booted and/or on the source of the security violation signal (e.g., a firewall). For example, if a firewall has already blocked an attempted illegal access, thesecurity controller 114 may simply log the fact that the security violation occurred as no further action is needed. Exemplary embodiments of computer systems including a security controller, firewalls, and core security controllers are provided inUS Patent Application 10/961,344, entitled "System and Method of Identifying and Preventing Security Violations within a Computing System" which is hereby incorporated by reference.
  • The core security controller 112 may initiate one or more security response sequences when notified by thesecurity controller 114 that a security violation has occurred. The available security response sequences include blocking or stopping execution of the violating operation, blocking future execution of the offending program (e.g., by deleting the program from the system 100), resetting thecore 110, or notifying thecore 110 to enter debug mode.
  • To block or stop execution of the violating operation, the core security controller 112 may abort an instruction presented to thecore 110 by asserting a native processor hardware-based abort (e.g., a pre-fetch abort). The hardware-based abort prevents the offending instruction from executing and also may flush prefetch units, internal instruction and/or data prediction mechanisms, and pipeline stages of the core 110 that may contain additional program instructions that are part of a violation or attack. Such a flush causes the context of a malicious program to be cleared, which terminates execution of the program. Because the abort is hardware-based and not vulnerable to control or interference by software, a malicious program may have great difficulty intercepting or bypassing a security response sequence thus implemented.
  • To block future execution of the offending program, the core security controller 112 may generate an interrupt to thecore 110 to trigger an interrupt service routine that launches one or more software programs (e.g., anti-virus software) that can identify the source of the malicious program and prevent future execution of the program (e.g. by deleting the source from the system 100). In some embodiments of the invention, a high-performance, high-priority processor interrupt may be used (e.g., the FIQ interrupt of the ARM 1136 or 1176 series processor) to trigger an interrupt service routine. This interrupt may also be implemented in the system such that the system will automatically enter secure mode before entering the interrupt service routine, thus guaranteeing that the interrupt service routine is protected from a software attack initiated in public mode (e.g., the secure FIQ of the ARM 1176 series processor).
  • To reset thecore 110, the core security controller 112 causes a processor or warm reset signal to be sent to thecore 110. To notify thecore 110 to enter debug mode, the core security controller 112 causes a signal to be sent to thecore 110 that causes thecore 110 operate in a debug state.
  • Figures 2A-2C show a memory security firewall 200 (e.g., memory security firewalls 150-156 offigure 1) in greater detail. Thememory security firewall 200 allows the target memory space it is protecting (e.g., one of thememories 118, 120, 146, and 148 offigure 1) to be split into multiple memory protection regions. The embodiments of these figures are illustrated and described assuming seven definable memory protection regions, one default memory protection region, and six security priority levels. These embodiments are also illustrated and described with the assumption that theL3 interconnect 116 offigure 1 implements the Open Core Protocol (OCP), an openly licensed, core-centric protocol for system-level integration. The OCP defines a comprehensive, bus-independent, high-performance, configurable interface between processor cores and on-chip subsystems. Additional information about OCP may be found on the OCP website, www.ocp-ip.org. However, these assumptions should not be construed as limitations. One of ordinary skill in the art will appreciate other embodiments that may include fewer or more regions and/or priorities, and the use of other interface protocols.
  • The initiator and target identification information and the access attributes associated with a memory access request that are utilized by thememory security firewall 200 are provided by several OCP parameters including MConnId, MCmd, MAddr, and MReqInfo. MConnId contains a predetermined initiator id that uniquely identifies the initiator of a memory access request. MAddr contains the target address of the memory access request. MCmd indicates whether the memory access request is a read request or a write request. MReqInfo contains additional attributes associated with the memory access request, MReqSecure, MReqDebug, MReqSupervisor, and MRegType. Table 1 shows the definitions of these additional attributes.Table I
    Attribute NameConfigurationDefinition
    MReqType
    00 CPU data accessThis attribute, when present, indicates if the access request is a processor instruction fetch, a processor data access, or aDMA access
    01CPU instruction access
    10DMA access
    11Other
    MReqSupervisor
    0 User mode transactionThis attribute, when set, indicates that the access request is made in supervisor mode. It can be provided by a processor running in supervisor mode, or by a master module that inherited the attribute from a processor (e.g., a DMA channel with a supervisor mode)
    1 Supervisormode transaction
    MReqDebug
    0 Application accessThis attribute, when set, is used to differentiate a regular access from a processor from an access issued by processor emulation logic.
    1Emulator access
    MReqSecure
    0 Normal transactionThis attribute, when set, indicates that the access request is made by a processor in secure mode or by a master module that inherited the attribute from a processor (e.g., a DMA channel with a secure mode)
    1 Secure transaction
  • Thememory security firewall 200 includesregion configuration logic 264,region selection logic 266 coupled to theregion configuration logic 264, andaccess validation logic 268 coupled to theregion selection logic 266 and thesecurity controller 114. Theregion configuration logic 264 includes the region address registers 212 and the region settings registers 214. Theregion configuration logic 264 also includes components for managing the priorities and locks of the memory protection regions including a priority/lockingregister 218 andpriority handler logic 216 coupled to the priority/lockingregister 218. Theregion selection logic 266 includesregion finder logic 220 coupled to the region address registers 212,priority checker logic 224 coupled to theregion finder logic 220 and thepriority handler logic 216, andregion MUX logic 226 coupled to the region settings registers 214 and thepriority checker logic 224. Theaccess validation logic 268 includes groupencoding lookup logic 228, attributeslookup logic 230, andpermission checker logic 232. Thepermissions checker logic 232 is coupled to theregion MUX logic 226, the groupencoding lookup logic 228, and theattributes lookup logic 230. Thepriority checker logic 224 and thepermissions checker logic 232 are coupled to the error log registers 244. Thepermissions checker logic 232 is also coupled to thesecurity controller 114.
  • The error log registers 244 include two registers, a functional error log register and a debug error log register, that record information regarding a memory access security violation detected by thememory security firewall 200. If system initiator initiating a memory access request is in debug mode and a memory access security violation is detected, the information is recorded in the debug error log register. Otherwise, the security violation information is recorded in the functional error log register. Each of the error log registers contains the fields shown in Table II.Table II
    Register FieldNameContents
    CMD [2:0]The OCP command code (MCmd) of the memory access request causing the memory access security violation
    REGION [7:4]The region number of the memory protection region where the memory access security violation was detected
    INITIATOR_ID [13:8]The id of the system initiator (MConnId) initiating the memory access request that resulted in the memory access security violation
    REQ_INFO [21:16]The MReqInfo attributes (MReqSecure, MReqDebug, MReqSupervisor, and MRegType) of the memory access request causing the memory access security violation
    CODE [27:24]Bits indicting whether or not a memory access security violation has occurred
    OVERLAP_ERR [28]Bit indicating if the memory access security violation is due to a region overlap violation
    GROUP_ERROR [29]Bit indicating if the memory access security violation is due to the system initiator initiating the memory access request being defined in both initiator groups of the memory protection region
    MULT [30]Bit indicating if a second memory access security violation is detected before the first is cleared
  • The region address registers 212 include seven register pairs, each pair representing a definable memory protection region. Each register pair holds the start and end address of the represented region. In addition, any memory space of the target memory that is not included in a defined memory protection region is included a default memory protection region. The default memory protection region may be designated asregion 0 and the defined memory protection regions may be designated as regions 1-7.
  • The region setting registers 214 include two region attribute registers and two initiator group registers for each memory protection region, including the default memory protection region. Each initiator group register pair defines the two groups of initiators that are allowed to share access to the memory protection region represented by the register pair. Each bit in an initiator group register represents one system initiator. When the bit in an initiator group register representing a given system initiator is set to one, that system initiator is included in the initiator group represented by the initiator group register. If the bit is set to zero, that system initiator is not included in the initiator group. A system initiator may be included in only one of the two initiator groups defined for a memory protection region. In some embodiments, if a system initiator is included in both initiator groups defined for a memory protection region and that system initiator attempts to access the region, the memory access is blocked and a security violation response is executed.
  • In at least one embodiment, there may be up to sixteen system initiators, each with a predetermined initiator id 0-15. Each initiator group register includes sixteen bits, one for each of the sixteen system initiators that may be included in the initiator group represented by that register. The bit in the register that represents a given system initiator is determined by the predetermined initiator id of that system initiator. For example, if theprocessing core 110 offigure 1 has a predetermined initiator id of 0,bit 0 of each initiator group register represents theprocessing core 110. Ifbit 0 is set to one, then theprocessing core 110 is included in the initiator group represented by the register. And, if theUSB 124 has a predetermined initiator id of 11,bit 11 of each initiator group register represents theUSB 124.
  • Each region attribute register pair encodes the allowed access attribute combinations for the two initiator groups defined for a memory protection region. Each bit in a region attribute register corresponds to a particular combination of access attributes. If the bit is set to 1, a system initiator included in an initiator group defined for a memory protection region is allowed to access the region if it presents the combination of access attributes represented by that bit. Table 3 shows the possible access attribute combinations and the bit in a region attribute register that represents each attribute combination in accordance with some embodiments.Table III
    Security
    0Public 1SecureDebug 0 Functional 1DebugPrivilege 0User 1 SupervisorData/Opcode 0Data transfer 1 Opcode fetchRead/Write 0 Read Allowed 1 Write AllowedRegisterBit
    000000
    000011
    000102
    000113
    001004
    001015
    001106
    001117
    010008
    010019
    0101010
    0101111
    0110012
    0110113
    0111014
    0111115
    1000016
    1000117
    1001018
    1001119
    1010020
    1010121
    1011022
    1011123
    1100024
    1100125
    1101026
    1101127
    1110028
    1110129
    1111030
    1111131
  • In various embodiments, the memory protection regions have priority levels that are managed by thememory security firewall 200. The priority levels of the regions may be read using theregister access interface 234 but may be set/changed only by thememory security firewall 200. The registers defining the memory protection regions, the region address registers 212 and the region settings registers 214, may also be locked once they have been programmed as an additional level of security. Once these registers are programmed and locked, they may only be reprogrammed by a secure access until a hard reset of thesystem 100 occurs (e.g., thesystem 100 is turned off and back on again). Also, when the registers are locked, thememory security firewall 200 automatically raises the priority of that memory protection region to forestall potential corruption by a public access to another memory protection region that overlaps it.
  • The priority/lock register 218 contains the security priority level and lock status of each memory protection region. The security priority level and lock status of each memory protection region is represented with four consecutive bits, one bit for the lock status (on/off) and three bits for the security priority level.
  • Thememory security firewall 200 implements six security priority levels designatedlevel 0 tolevel 5, withlevel 0 being the lowest priority. The default memory protection region,region 0, has a default security priority level of 0. The protection region designated asregion 1 has a default security priority level of 2 when programmed and unlocked. The security priority level ofregion 1 is automatically changed to 3 when the region is locked by a public access and to 5 when the region is locked by a secure access. The remaining protection regions, regions 2-7, have a default security priority level of 1 when programmed and unlocked. The security priority levels of these regions are automatically changed to 3 when locked by a public access and to 4 when locked by a secure access.
  • Theregion address register 212, the region settings registers 214, and the lock bits of the priority/lockingregister 218 may be programmed through theregister access interface 234. Memory protection region configuration software may be executed on core 112 to configure memory protection regions in thememory security firewall 200. In some embodiments, to define a memory protection region, the configuration software first defines the members of the two initiator groups that will share access to the memory protection region and the access attributes that must be presented. Such definitions are accomplished by setting the appropriate bits in the region attribute register pair and the initiator group register pair of the region settings registers 214 for the memory protection region to be configured. The configuration software then defines the boundaries of the memory protection region by placing the start and end addresses of the memory range to be protected in the register pair of the region address registers 212 representing the memory protection region. Once the register pair of the regions address registers 212 is programmed, the firewall is activated for that memory protection region. The default security priority level of the newly configured memory protection region is automatically set in the appropriate field of the priority/lockingregister 218 by thememory security firewall 200. The configuration software may then optionally lock these newly programmed registers by turning on the appropriate lock bit in the priority/lockingregister 218. If the lock bit is turned on, thememory security firewall 200 will then automatically raise the security priority level of the newly programmed memory protection region.
  • For example, ifmemory protection region 2 is to be configured, the configuration software defines which of the system initiators may accessregion 2 by setting the bits representing those system initiators in one of the two initiator group registers ofregion 2. The configuration software also defines the permissible access attribute combinations that may be presented by system initiators included in each of the two initiator groups by setting the bits representing the allowable combinations in the region attribute registers forregion 2. Once the initiator group registers and the region attribute registers are programmed, the configuration software then activates the firewall protection forregion 2 by placing the start and end addresses of the memory range to be protected asregion 2 in the region address registersdefining region 2. Thememory security firewall 200 sets the priority bits forregion 2 in the priority/lockingregisters 218 to 1, the default security priority level forregion 2. If the configuration software is executing in public mode and locks theregion 2 registers by setting theregion 2 lock bit in the priority/lockingregister 218, thememory security firewall 200 automatically sets theregion 2 priority bits to 3. If the configuration software is executing in secure mode and locks theregion 2 registers by setting theregion 2 lock bit in the priority/lockingregister 218, thememory security firewall 200 automatically sets theregion 2 priority bits to 4.
  • Thememory security firewall 200 provides for dynamic configuration of the memory protection regions. That is, memory protection regions may be initially configured or reconfigured at any time while thesystem 100 is active. The permissible security priority levels ofregion 1 are defined such thatregion 1 may be configured to protect any of the other active memory protection regions, i.e. regions 2-7, while one of these regions is being reconfigured. For example, assume thatmemory protection region 2 is active and has been locked by the configuration software operating in secure mode so the security priority level of the region is 4. If the need arises to increase the size of the memory space for the region, the configuration software may configureregion 1 such that it overlays the memory space currently defined asregion 2 and the memory space to be added toregion 2. The configuration software may also configure the region attribute registers and the initiator group registers ofregion 1 to duplicate those ofregion 2. The configuration software may then lockregion 1 in secure mode, thus raising the security priority level ofregion 1 tosecurity priority level 5. Onceregion 1 is activated, all memory access requests toregion 2 and the memory space to be added toregion 2 are handled asregion 1 access requests because ofregion 1 has the highest security priority level. The configuration software may then deactivate and reconfigureregion 2 and the memory space will be protected during the reconfiguration process. Once theregion 2 registers have been reconfigured andregion 2 is again activated,region 1 may be deactivated.
  • Figure 2B shows the portion of thememory security firewall 200 that handles locking, region priority, and region selection in greater detail.Figures 3,4,5A and5B contain pseudo code illustrating the operation of theregion finder logic 220, thepriority handler 216, and thepriority checker 224, respectively. In this pseudo code, R0 - R7 are identifiers for the memory protection regions. Start_Rx and End_Rx are identifiers for the register pair of the region address registers 212 that contain the start and end addresses of memory protection region x. When used in reference to the priority table 236, P0 - P5 are identifiers for memory security priority levels. When used in reference to the priority/lockingregister 218, P0 - P7 are identifiers for the memory security priority level of the correspondingly numbered memory protection region. Ptable is the identifier for the priority table 236. L_Rx is the identifier for the lock status of memory protection region x in the priority/lockingregister 218. MAddr identifies the target address of an access request and MSecure is an identifier indicating whether the current execution mode is public or secure.
  • Theregion finder logic 220 accepts as input the address of a target memory access request, MAddr. As is illustrated in the pseudo code offigure 3, the region finder logic compares this address to the start and end addresses of each memory protection region to determine which of these memory protection regions includes the address. Because memory protection regions may overlap, the address may be included in more than region. The region finder logic passes seven values, M_Rx, to thepriority checker logic 224. If the address is included in memory protection region x, the value of M_Rx is set to x. If the address is not included in memory protection region x, the value of M_Rx is set to 0.
  • Thepriority handler logic 216 manages the security priority levels of the memory protection regions. As part of this priority management function, thepriority handler logic 216 sets the priority fields of the priority/lockingregister 218 and maintains a priority table 236 that is used by thepriority logic 224. The priority table 236 includes an entry for each possible combination of region and priority. This entry will be 1 if a region has the associated security priority level and will be 0 otherwise. For example, ifregion 1 hassecurity priority level 2, the entry in the priority table 236 corresponding to P2 and R1 is 1. All other entries in the priority table 236 corresponding to R1 are 0.
  • When thesystem 100 is initialized or otherwise reset, thepriority handler logic 216 initializes the priority fields of the priority/lockingregister 218 and the entries of the priority table 236 to correspond to the default priority levels of the memory protection regions. As was previously discussed,region 0 has a default security priority level of 0,region 1 has a default security priority level of 2, and regions 2-7 have a default security priority level of 1. While thesystem 100 is operating, thepriority handler logic 216 automatically changes the security priority level of the definable memory protection regions, regions 1-7, responsive to changes in the locking status of those regions. Ifregion 1 is locked by a public access, thepriority handler logic 216 raises the security priority level of the region to 3. Ifregion 1 is locked by a secure access, thepriority handler logic 216 raises the security priority level of the region to 5. If regions 2-7 are locked by a public access, thepriority handler logic 216 raises the security priority level of these regions to 3. If regions 2-7 are locked by a secure access, thepriority handler logic 216 raises the security priority level of these regions to 4. In executing these priority changes, thepriority handler 216 updates the appropriate priority field in the priority/lockingregister 218 and makes any needed changes to the priority table 236. The pseudo code ofFigure 4 illustrates the operation of thepriority handler logic 216.
  • Thepriority checker logic 224 selects the memory protection region to be used for verifying access permissions when an address is included in more than one protection region. When an address is included in more than one memory protection region, thepriority checker logic 224 selects the region with the highest priority. If, during the process of identifying the region with the highest priority, thepriority checker logic 224 determines that the overlapping regions including an address have the same priority, anoverlap security violation 254 is detected. Theoverlap security violation 254 is logged in the error log registers 244 and the output of thepriority checker logic 224,Rout_Mux 246, is set to cause thepermissions checker logic 232 to indicate a memory access security violation. If nooverlap security violation 254 is detected,Rout_Mux 246 is set to a four bit value corresponding to the number of the selected region.
  • Referring now to the pseudo code shown infigures 5A and5B, thepriority checker logic 224 first checks for an overlap security violation 254 (lines 1-17). The sum of the entries in the priority table 236 for each priority level for each M_Rx value passed by theregion finder logic 220 is calculated (lines 1-5). Recall that an M_Rx value is the number of a region if the address was included in the region and is 0 otherwise. Also note that the entries that are selected when an M_Rx value is 0 correspond toregion 0, which always has a security priority level of 0. Once the sums of the priority levels are calculated, a check is made for an overlap security violation 254 (lines 11-16). An overlapsecurity violation 254 is indicated under the following circumstances: (1) if the sum of therelevant priority level 5 entries is greater than 1, denoting that at least two regions contain the address and have a priority level of 5; or, (2) for each of the priority levels 1-4, if the sum of the entries for each priority level higher than the one under consideration is 0 and the sum of the priority level entries for the priority level under consideration is greater than 1. The output of this overlap checking process is a one bit value, Violation, which is 1 if anoverlap security violation 254 is found and 0 otherwise.
  • The priority checker logic also selects the highest priority region from among the regions corresponding to the non-zero M_Rx inputs (lines 19-55). The output of this selection process is a three bit value, Rout, the number of the selected region.Rout_Mux 246, the output of thepriority checker logic 224, is formed by concatenating the violation value and Rout (line 57).
  • Theregion MUX 226 is multiplexer logic that selects which of the region settings registers 214 are to be used by thepermissions checker logic 232 to determine if a memory access request is allowed. The selector for theregion MUX 226 is the output value of thepriority checker logic 224,Rout_Mux 246. The inputs to theregion MUX 226 are the sets of initiator group registers and region attribute registers that correspond to each memory protection region and a hardwired noaccess input 222. The noaccess input 222 is selected as the region settings output 252 ofregion MUX 226 if anoverlap security violation 254 was detected by thepriority checker logic 224. Otherwise, the set of initiator group registers and region attribute registers corresponding to the region selected by thepriority checker logic 224 is selected as the region settings output 252.
  • Referring again tofigure 2A, thegroup encoding logic 226 receives as input the initiator id, MConnId, of the system initiator initiating a memory access request. Thegroup encoder logic 226 performs any translation necessary to convert the received initiator id into a four bit value, thegroup bit selector 248, which designates the bit of an initiator group register representing the system initiator.
  • Theattributes lookup logic 230 receives as input the attributes of a memory access request, i.e., MCmd and MReqInfo. As is illustrated in the pseudo code offigure 7, theattribute lookup logic 230 uses the relevant bits of MReqInfo and the read/write indication of MCmd to create a five bit value, MReqInfo_int that encodes the access attribute combination of the memory access request. The five bit MReqInfo_int value is then used to look up in an attributes encoding table (not specifically shown) the number of the bit in a region attribute register that corresponds to the access attribute combination (See Table 3). The output of theattributes lookup logic 230, theattribute bit selector 250, is the bit number from the attributes encoding table.
  • Figure 2C shows thepermissions checker logic 232 in more detail. Thepermissions checker logic 232 checks that the system initiator initiating a memory access request is included in one of the initiator groups defined for the memory protection region selected by theregion finder logic 220 and thepriority checker logic 224. If the initiator is included in both initiator groups of the memory protection region, thepermissions checker logic 232 signals agroup security violation 256 and initiates a security violation response. Thepermissions checker logic 232 also verifies that attributes of the memory access request are permissible attributes for the initiator group of which the initiator is a member. If this verification fails, the permissions checklogic 232 signals an memoryaccess security violation 258 and initiates a security violation response. Otherwise, thepermissions checker logic 232 allows the memory access.
  • Thepermissions checker logic 232 includesgroup verification logic 238, anattribute MUX 242 coupled to thegroup verification logic 238, and attributesverification logic 240 coupled to theattribute MUX 242. Thegroup verification logic 238 determines whether the initiator of a memory access request is included in one of the two initiator groups defined for the memory protection region identified by theregion finder logic 220 and thepriority checker logic 224. The group verification logic receives as input thegroup bit selector 248 from thegroup encoding logic 228 and the initiator group registers selected by theregion MUX 226. As is shown in pseudo code offigure 6, thegroup verification logic 238 reads the values of the bits in each of the initiator group registers that correspond to the group bit selector 248 (lines 1-2). Note that thegroup bit selector 248 is designated as SEL_Init_ID in this pseudo code. Theses two values are concatenated to create a two bit group selector value 262 (line 4) that constitutes the output of thegroup verification logic 238.
  • If both values are 1 (line 5), the initiator is included in both initiator groups and agroup security violation 256 is detected. Thegroup security violation 256 is logged in the error log registers 244 and thegroup selector value 262 is set to cause theattributes verification logic 240 to indicate a memory access security violation. If both values are 0, the initiator is not included in either initiator group and a memory security violation is detected. Thegroup selector value 262 is set to cause theattributes verification logic 240 to indicate a memoryaccess security violation 258.
  • Theattribute MUX 242 is multiplexer logic that selects which of the two region attribute registers selected by theregion MUX 226 is to be used by theattributes verification logic 240 to determine if a memory access request has permissible access attributes. Theattribute MUX 242 selects the region attribute register that corresponds to the initiator group identified by thegroup verification logic 238. The selector for theattribute MUX 242 is thegroup selector 262 from thegroup verification logic 238. The inputs to theattribute MUX 242 are the region attribute registers selected by theregion MUX 226, and hardwired nopermission group inputs 270. Thehardwired inputs 270 are selected as the group attributesoutput 260 of theattribute MUX 242 if agroup security violation 256 was detected by thegroup verification logic 238 or if thegroup verification logic 238 determined that the initiator was not included in either of the initiator groups defined for the memory protection region. Otherwise, the region attribute register corresponding to the initiator group including the initiator is selected as the group attributesoutput 260.
  • Theattributes verification logic 240 determines whether the access attributes of a memory access request are permissible attributes for the memory protection region addressed by the memory access request. Theattributes verification logic 240 receives as input theattribute bit selector 250 generated by theattributes lookup logic 230 and the group attributesoutput 260 of theattribute MUX 242. As is shown in the pseudo code offigure 8, if the bit indicated by theattribute bit selector 250 is set to one in the group attributes, theattributes verification logic 240 allows the memory access request (lines 1-4). Otherwise, theattributes verification logic 240 detects a memory access security violation 258 (lines 6-8) and initiates a security violation response. Note that in this pseudo code, Req_Info represents the group attributesoutput 260 and Sel_Attribute represents theattribute bit selector 250.
  • Figure 9 is a flow chart of a method for controlling access to a target memory in accordance with one or more embodiments. Although the actions of this method are presented and described serially, one of ordinary skill in the art will appreciate that the order may differ and/or some of the actions may occur in parallel. The method begins with the configuration of one or more memory protection regions in a target memory (block 900). Each memory protection region is configured with a start and end address of a memory range within the target memory. The configured memory protection regions may overlap and are assigned a security priority level that may be used to determine which memory protection region is selected for access validation when a memory access request addresses a memory location that is configured in more than one region. In addition, two groups of system initiators that are permitted to access the memory protection region are defined. Two sets of permissible access attribute combinations are also defined, one set for each of the two groups of system initiators.
  • Once one or more memory protection regions are configured, all memory access requests that address the target memory are checked to determine if the access request is to be allowed (blocks 902-916). Each memory access request includes information identifying the system initiator making the request, the address of the memory location in the target memory space to be accessed, and a combination of access attributes. When a memory access request addressing the target memory is received from an system initiator (block 902), the memory protection region or regions that include the address of the memory access request are determined (block 904). A check is made to determine if there is an overlap security violation (block 906). If at least two memory protection regions include the address, and share the highest security priority level of any region including the address, an overlap security violation is indicated and a security violation response is executed (block 916).
  • If there is no overlap security violation, the highest priority region including the address is determined (block 908). A check is made to determine if the system initiator making the memory access request is included in either of the two groups of system initiators that are allowed to access the selected memory protection region (block 910). If the system initiator is not included in either group or if it is included in both groups, a group security violation is detected and a security violation response is executed (block 916).
  • If there is no group security violation, the combination of access attributes of the memory access request is checked against the set of permissible access attribute combinations defined for the group of system initiators including the system initiator making the request (block 912). If the combination of access attributes is included in the set of permissible access attribute combinations, the memory access request is allowed (block 914). Otherwise, a memory access security violation is indicated and a security violation response is executed (block 916).
  • The above discussion is meant to be illustrative of the principles and various embodiments of the present invention. Numerous variations and modifications will become apparent to those skilled in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such variations and modifications.

Claims (14)

  1. A method for controlling access to a target memory, the method comprising:
    configuring a plurality of memory protection regions (904) in a target memory (900) of a system, the system comprising a plurality of system initiators (902), wherein the configuring comprises:
    defining a first initiator group (912) with a first set of access attribute combinations and a second initiator group (914) with a second set of access attribute combinations for each memory protection region (904) of the plurality of memory protection regions, wherein the first (912) and second (914) initiator groups comprise one or more of the plurality of system initiators (902) and wherein the first and second set of access attribute combinations include a security level attribute indicating whether an access is public or secure;
    automatically assigning a default security priority level to each of the memory protection regions;
    locking one or more memory protection region of the plurality of memory protection regions; and
    assigning a second security priority level that is higher in priority than the assigned default security priority level to the one or more locked memory protection regions, the second security priority level having a first value if the memory protection region (904) is being locked by a public access and a second value if the memory protection region (904) is being locked by a secure access, wherein once locked, the security priority level of a memory protection region (904) may only be changed by a secure access;
    receiving a memory access request from a system initiator of the plurality of system initiators (902), the memory access request comprising an address in the target memory and a combination of access attributes; and
    if the address is in a first memory protection region of the plurality of memory protection regions (904), allowing the memory access request if the system initiator is in the first initiator group (912) of the first memory protection region and the combination of access attributes is in the first set of access attribute combinations of the first initiator group; and
    allowing the memory access request if the system initiator is in the second initiator group of the first memory protection region and the combination of access attributes is in a second set of access attribute combinations of the second initiator group.
  2. The method of claim 1, further comprising:
    executing a security violation response if the system initiator is in one of the initiator groups and the combination of access attributes is not in the set of access attribute combinations of the initiator group comprising the system initiator.
  3. The method of claim 1, further comprising:
    if the address is in the first memory protection region and a second memory protection region of the plurality of memory protection regions and the security priority level of the first memory protection region is higher than the security priority level of the second memory protection region,
    allowing the memory access request if the system initiator is in the first initiator group and the combination of access attributes is in the first set of access attribute combinations; and
    allowing the memory access request if the system initiator is in the second initiator group and the combination of access attributes is in the second set of access attribute combinations.
  4. The method of any one of claims 1-3, further comprising:
    executing a security violation response if the address is in the first memory protection region and a second memory protection region of the plurality of memory protection regions and the security priority level of the first memory protection region is the same as the security priority level of the second memory protection region.
  5. The method of any one of claims 1 to 4, wherein the configuring a plurality of memory protection regions is performed in a security firewall associated with the target memory.
  6. The method of claim 5, wherein the security firewall is a hardware apparatus.
  7. The method of any one of claims 1 to 6, wherein an access attribute is one of: a security level attribute indicating whether the access is public or secure; a mode attribute indicating whether the access is functional or debug mode; a privilege attribute indicating whether the access is made in user or supervisor mode; a data/opcode attribute indicating whether the access is a data transfer or an opcode fetch, and a read/write attribute indicating whether the access is a read request or a write request.
  8. A memory security firewall apparatus (200), comprising:
    region configuration logic (264), wherein the region configuration logic is operable to:
    define a plurality of memory protection regions of a target memory (118, 120, 146, 148) of a system, each memory protection region having a first initiator group with a first set of access attribute combinations, and a second initiator group with a second set of access attribute combinations, wherein the first and second set of access attribute combinations include a security level attribute indicating whether an access is public or secure;
    to automatically assign a default security priority level to each of the memory protection regions;
    to lock one or more memory protection region of the plurality of memory protection regions; and
    to assign a second security priority level that is higher in priority than the assigned default security priority level to the one or more locked memory protection regions, the second security priority level having a first value if the memory protection region (904) is being locked by a public access and a second value if the memory protection region (904) is being locked by a secure access, wherein once locked, the security priority level of a memory protection region (904) may only be changed by a secure access;
    region selection logic (266) coupled to the region configuration logic (264) and coupled to an interconnect (116) of the system to receive an address of a memory access request from a system initiator, wherein the region selection logic (266) is operable to select a memory protection region of the plurality of memory protection regions that includes the address; and
    access validation logic (268, 228, 230, 232) coupled to the region selection logic (266) and coupled to the interconnect (116) to receive an initiator id of the system initiator and to receive a combination of access attributes of the memory access request, wherein the access validation logic (268) is operable to allow the requested memory access if the system initiator is in the first initiator group of the memory protection region selected by the region selection logic (266), and the combination of access attributes is in the first set of access combinations, or if the system initiator is in the second initiator group of the memory protection region selected by the region selection logic (266), and the combination of access attributes is in the second set of access combinations.
  9. The memory security firewall apparatus of claim 10, wherein the access validation logic (268) is operable to block the requested memory access if the system initiator is in one of the first and second initiator groups and the combination of access attributes is not in the set of access attribute combinations of the initiator group comprising the system initiator.
  10. The memory security firewall apparatus of claim 8, wherein the access validation logic (268) is operable to determine whether the address is in the first memory protection region and the second memory protection region of the plurality of memory protection regions, and if the address is included in both the first and second memory protection regions and the security priority level of the first memory protection region is higher than the security priority level of the second memory protection region, to block the memory access request unless the system initiator is in the first initiator group and the combination of access attributes is in the first set of access attribute combinations, or the system initiator is in the second initiator group and the combination of access attributes is in the second set of access attribute combinations.
  11. The memory security firewall apparatus of claim 8, wherein the access validation logic (268) is further operable to block the memory access request if the address is in the first memory protection region and a second memory protection region of the plurality of memory protection regions and the security priority level of the first memory protection region is the same as the security priority level of the second memory protection region.
  12. The memory security firewall apparatus of any of claims 9, 10 or 11, wherein the access validation logic (268) is further operable to cause the execution of a security violation response if a memory access request is blocked.
  13. The memory security system of claim 12, wherein execution of a security violation response comprises selecting at least one response option of a plurality of response options, the plurality of response options comprising preventing execution of an instruction within a processor core of the system, asserting an interrupt signal to the processor core wherein security response software is executed in response to the asserted interrupt signal, asserting a warm reset signal to the processor core, causing the processor core to enter debug mode, and activating an attack indicator.
  14. A system, comprising:
    a plurality of system initiators coupled to an interconnect (116) of the system;
    a target memory (118, 120, 146, 148) coupled to the interconnect (116); and
    a memory security firewall apparatus as recited in any of claims 8 to 13 coupled to the interconnect (116).
EP05291479A2005-07-072005-07-07Method and system for a multi-sharing memory access controlCeasedEP1742152B1 (en)

Priority Applications (3)

Application NumberPriority DateFiling DateTitle
EP05291479AEP1742152B1 (en)2005-07-072005-07-07Method and system for a multi-sharing memory access control
US11/272,532US7853997B2 (en)2005-07-072005-11-11Method and system for a multi-sharing security firewall
PCT/US2006/026344WO2007008595A2 (en)2005-07-072006-07-07Method and system for a multi-sharing security firewall

Applications Claiming Priority (1)

Application NumberPriority DateFiling DateTitle
EP05291479AEP1742152B1 (en)2005-07-072005-07-07Method and system for a multi-sharing memory access control

Publications (2)

Publication NumberPublication Date
EP1742152A1 EP1742152A1 (en)2007-01-10
EP1742152B1true EP1742152B1 (en)2012-09-12

Family

ID=35432467

Family Applications (1)

Application NumberTitlePriority DateFiling Date
EP05291479ACeasedEP1742152B1 (en)2005-07-072005-07-07Method and system for a multi-sharing memory access control

Country Status (2)

CountryLink
US (1)US7853997B2 (en)
EP (1)EP1742152B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US12437807B2 (en)2023-07-272025-10-07Texas Instruments IncorporatedStoring and retrieving access control rules in an SOC

Families Citing this family (49)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US6260082B1 (en)*1998-12-232001-07-10Bops, Inc.Methods and apparatus for providing data transfer control
US7840763B2 (en)*2004-03-122010-11-23Sca Technica, Inc.Methods and systems for achieving high assurance computing using low assurance operating systems and processes
US7660412B1 (en)*2005-12-092010-02-09Trend Micro IncorporatedGeneration of debug information for debugging a network security appliance
US8719526B2 (en)*2006-01-052014-05-06Broadcom CorporationSystem and method for partitioning multiple logical memory regions with access control by a central control agent
US20070226795A1 (en)*2006-02-092007-09-27Texas Instruments IncorporatedVirtual cores and hardware-supported hypervisor integrated circuits, systems, methods and processes of manufacture
US8332925B2 (en)2006-08-082012-12-11A10 Networks, Inc.System and method for distributed multi-processing security gateway
US8079077B2 (en)*2006-08-082011-12-13A10 Networks, Inc.System and method for distributed multi-processing security gateway
EP1912149A1 (en)*2006-10-092008-04-16Texas Instruments FranceMonitor mode integrity verification
US8307416B2 (en)2007-01-032012-11-06Texas Instruments IncorporatedData structures for use in firewalls
US20080208760A1 (en)*2007-02-262008-08-2814 Commerce Inc.Method and system for verifying an electronic transaction
US8051263B2 (en)*2007-05-042011-11-01Atmel CorporationConfigurable memory protection
TW200929974A (en)*2007-11-192009-07-01IbmSystem and method for performing electronic transactions
US8650440B2 (en)2008-01-162014-02-11Freescale Semiconductor, Inc.Processor based system having ECC based check and access validation information means
US7979658B2 (en)*2008-03-252011-07-12Spansion LlcSecure management of memory regions in a memory
US8555015B2 (en)*2008-10-232013-10-08Maxim Integrated Products, Inc.Multi-layer content protecting microcontroller
US8650629B2 (en)*2009-12-162014-02-11Intel CorporationInterface logic for a multi-core system-on-a-chip (SoC)
US8949551B2 (en)2011-02-232015-02-03Freescale Semiconductor, Inc.Memory protection unit (MPU) having a shared portion and method of operation
US9116845B2 (en)*2011-02-232015-08-25Freescale Semiconductor, Inc.Remote permissions provisioning for storage in a cache and device therefor
US8639895B2 (en)2011-07-142014-01-28Freescale Semiconductor, Inc.Systems and methods for memory region descriptor attribute override
US20130111168A1 (en)*2011-10-272013-05-02Freescale Semiconductor, Inc.Systems and methods for semaphore-based protection of shared system resources
US9118618B2 (en)2012-03-292015-08-25A10 Networks, Inc.Hardware-based packet editor
US8803548B2 (en)*2012-04-192014-08-12Microsemi SoC CorporationApparatus and methods for a tamper resistant bus for secure lock bit transfer
US9596286B2 (en)2012-05-252017-03-14A10 Networks, Inc.Method to process HTTP header with hardware assistance
KR101692751B1 (en)2012-09-252017-01-04에이10 네트워크스, 인코포레이티드Load distribution in data networks
US10021174B2 (en)2012-09-252018-07-10A10 Networks, Inc.Distributing service sessions
US9129071B2 (en)2012-10-242015-09-08Texas Instruments IncorporatedCoherence controller slot architecture allowing zero latency write commit
US9063891B2 (en)*2012-12-192015-06-23Advanced Micro Devices, Inc.Secure computer system for preventing access requests to portions of system memory by peripheral devices and/or processor cores
KR20140083530A (en)*2012-12-262014-07-04삼성전자주식회사System on chip including boot shell debugging hardware and driving method thereof
US9092647B2 (en)*2013-03-072015-07-28Freescale Semiconductor, Inc.Programmable direct memory access channels
US9298911B2 (en)*2013-03-152016-03-29Intel CorporationMethod, apparatus, system, and computer readable medium for providing apparatus security
FR3005179B1 (en)*2013-04-252015-05-15Oberthur Technologies METHOD AND SYSTEM FOR SIMULATING THE EFFECTS OF ATTACK ON A COMPUTER CODE
US10027761B2 (en)2013-05-032018-07-17A10 Networks, Inc.Facilitating a secure 3 party network session by a network device
DE102013016114B3 (en)2013-09-262015-02-05Infineon Technologies Ag Bus system and method for protected memory accesses
US9317452B1 (en)*2013-11-182016-04-19Amazon Technologies, Inc.Selective restrictions to memory mapped registers using an emulator
US9307409B2 (en)*2013-12-272016-04-05Intel CorporationApparatus, system and method of protecting domains of a multimode wireless radio transceiver
US10020979B1 (en)2014-03-252018-07-10A10 Networks, Inc.Allocating resources in multi-core computing environments
US20150293862A1 (en)*2014-04-102015-10-15Andes Technology CorporationHardware configuration apparatus
US9806943B2 (en)2014-04-242017-10-31A10 Networks, Inc.Enabling planned upgrade/downgrade of network devices without impacting network sessions
US11200345B2 (en)*2015-07-292021-12-14Hewlett Packard Enterprise Development LpFirewall to determine access to a portion of memory
IT201700050153A1 (en)*2017-05-092018-11-09St Microelectronics Srl SAFETY HARDWARE MODULE, RELATED PROCESSING SYSTEM, INTEGRATED CIRCUIT AND DEVICE
US10560428B2 (en)*2017-08-172020-02-11Texas Instruments IncorporatedFlexible hybrid firewall architecture
US11036654B2 (en)*2018-04-142021-06-15Microsoft Technology Licensing, LlcNOP sled defense
US11115383B2 (en)*2018-05-242021-09-07Texas Instruments IncorporatedSystem on chip firewall memory architecture
US11080432B2 (en)*2018-07-302021-08-03Texas Instruments IncorporatedHardware countermeasures in a fault tolerant security architecture
US11210095B2 (en)*2018-08-242021-12-28Texas Instruments IncorporatedResource allocation in a multi-processor system
FR3090923B1 (en)*2018-12-212021-09-17Thales Sa Generalized control device for memory transfers for concurrent access on a system on a chip
FR3100901B1 (en)*2019-09-122021-08-27Stmicroelectronics Grand Ouest Sas Memory protection system
CN112528345B (en)*2019-09-182025-02-07深圳引望智能技术有限公司 Communication method, device, computer readable storage medium and chip
US20240056448A1 (en)*2023-09-292024-02-15Intel CorporationTranslation Circuitry for Access Control Identifier Mechanisms

Family Cites Families (30)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US4104721A (en)*1976-12-301978-08-01International Business Machines CorporationHierarchical security mechanism for dynamically assigning security levels to object programs
US5280614A (en)*1990-08-211994-01-18International Business Machines CorporationApparatus and method for controlling access to data using domains
US5845129A (en)*1996-03-221998-12-01Philips Electronics North America CorporationProtection domains in a single address space
US5920690A (en)*1997-08-111999-07-06Motorola, Inc.Method and apparatus for providing access protection in an integrated circuit
US6212599B1 (en)*1997-11-262001-04-03Intel CorporationMethod and apparatus for a memory control system including a secondary controller for DRAM refresh during sleep mode
JP2000113119A (en)*1998-09-302000-04-21Fujitsu Ltd IC card processing device
DE19925195A1 (en)*1999-06-012000-12-07Giesecke & Devrient GmbhMemory management method for monitoring access to data or programs e.g. for chip card, by allocating attributes to memory addresses to permit or deny access
WO2001009595A2 (en)*1999-08-022001-02-08Emerald Biostructures, Inc.Method and system for creating a crystallization results database
US6324537B1 (en)*1999-09-302001-11-27M-Systems Flash Disk Pioneers Ltd.Device, system and method for data access control
GB2356469B (en)*1999-11-172001-12-12Motorola LtdPortable data carrier memory management system and method
US6714939B2 (en)*2001-01-082004-03-30Softface, Inc.Creation of structured data from plain text
US20060265746A1 (en)*2001-04-272006-11-23Internet Security Systems, Inc.Method and system for managing computer security information
JP2002342166A (en)*2001-05-152002-11-29Fujitsu LtdInformation processor and method for controlling access level
JP2002353960A (en)*2001-05-302002-12-06Fujitsu Ltd Code execution device and code distribution method
US6775750B2 (en)2001-06-292004-08-10Texas Instruments IncorporatedSystem protection map
EP1331539B1 (en)*2002-01-162016-09-28Texas Instruments FranceSecure mode for processors supporting MMU and interrupts
US6901401B2 (en)*2002-03-212005-05-31International Business Machines CorporationSystem and method for database integrity via local database lockout
US7571318B2 (en)*2002-03-272009-08-04Advanced Micro Devices, Inc.Method and apparatus for improved security in a data processor
US7478235B2 (en)*2002-06-282009-01-13Microsoft CorporationMethods and systems for protecting data in USB systems
JP4582682B2 (en)*2002-07-082010-11-17株式会社日立製作所 Security wall system
GB2396713B (en)*2002-11-182005-09-14Advanced Risc Mach LtdApparatus and method for controlling access to a memory unit
US7171539B2 (en)*2002-11-182007-01-30Arm LimitedApparatus and method for controlling access to a memory
GB2396930B (en)*2002-11-182005-09-07Advanced Risc Mach LtdApparatus and method for managing access to a memory
GB2396034B (en)*2002-11-182006-03-08Advanced Risc Mach LtdTechnique for accessing memory in a data processing apparatus
KR101015456B1 (en)*2002-11-182011-02-22에이알엠 리미티드 Access control to memory by device
US7392378B1 (en)*2003-03-192008-06-24Verizon Corporate Services Group Inc.Method and apparatus for routing data traffic in a cryptographically-protected network
EP1619572A1 (en)*2004-07-232006-01-25Texas Instruments IncorporatedSystem and method of identifying and preventing security violations within a computing system
US20060117174A1 (en)*2004-11-292006-06-01Arcadyan Technology CorporationMethod of auto-configuration and auto-prioritizing for wireless security domain
US8849908B2 (en)*2005-10-132014-09-30Kaydon A. StanzioneInternet based data, voice and video alert notification communications system
US8132247B2 (en)*2007-08-032012-03-06Citrix Systems, Inc.Systems and methods for authorizing a client in an SSL VPN session failover environment

Cited By (1)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US12437807B2 (en)2023-07-272025-10-07Texas Instruments IncorporatedStoring and retrieving access control rules in an SOC

Also Published As

Publication numberPublication date
EP1742152A1 (en)2007-01-10
US7853997B2 (en)2010-12-14
US20070011419A1 (en)2007-01-11

Similar Documents

PublicationPublication DateTitle
EP1742152B1 (en)Method and system for a multi-sharing memory access control
EP1708071B1 (en)Method and system for detection and neutralization of buffer overflow attacks
US8307416B2 (en)Data structures for use in firewalls
US8220045B2 (en)System and method of identifying and preventing security violations within a computing system
US12346488B2 (en)Methods and systems to restrict usage of a DMA channel
US10102400B2 (en)Method and system for preventing unauthorized processor mode switches
US8959311B2 (en)Methods and systems involving secure RAM
US20070067826A1 (en)Method and system for preventing unsecure memory accesses
EP1331539A2 (en)Secure mode for processors supporting MMU and interrupts
US20140223052A1 (en)System and method for slave-based memory protection
Mukhtar et al.Architectures for Security: A comparative analysis of hardware security features in Intel SGX and ARM TrustZone
EP1912149A1 (en)Monitor mode integrity verification
US7467285B2 (en)Maintaining shadow page tables in a sequestered memory region
US8635685B2 (en)Value generator coupled to firewall programmable qualifier data structure logics
WO2008030727A2 (en)Access control of memory space in microprocessor systems
CN110276214B (en)Dual-core trusted SOC architecture and method based on slave access protection
EP1843250B1 (en)System and method for checking the integrity of computer program code
CN119271580A (en) Method, system and electronic device for determining memory access rights of device
WO2007008595A2 (en)Method and system for a multi-sharing security firewall
WO2008086456A2 (en)System and method for preemptive masking and unmasking of non-secure processor interrupts
WO2008045824A2 (en)Monitor mode integrity verification

Legal Events

DateCodeTitleDescription
PUAIPublic reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text:ORIGINAL CODE: 0009012

AKDesignated contracting states

Kind code of ref document:A1

Designated state(s):AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

AXRequest for extension of the european patent

Extension state:AL BA HR MK YU

17PRequest for examination filed

Effective date:20070710

17QFirst examination report despatched

Effective date:20070809

AKXDesignation fees paid

Designated state(s):DE FR GB

REGReference to a national code

Ref country code:DE

Ref legal event code:R079

Ref document number:602005036066

Country of ref document:DE

Free format text:PREVIOUS MAIN CLASS: G06F0012000000

Ipc:G06F0012140000

GRAPDespatch of communication of intention to grant a patent

Free format text:ORIGINAL CODE: EPIDOSNIGR1

RIC1Information provided on ipc code assigned before grant

Ipc:G06F 12/14 20060101AFI20120319BHEP

GRASGrant fee paid

Free format text:ORIGINAL CODE: EPIDOSNIGR3

GRAA(expected) grant

Free format text:ORIGINAL CODE: 0009210

AKDesignated contracting states

Kind code of ref document:B1

Designated state(s):DE FR GB

REGReference to a national code

Ref country code:GB

Ref legal event code:FG4D

REGReference to a national code

Ref country code:DE

Ref legal event code:R096

Ref document number:602005036066

Country of ref document:DE

Effective date:20121108

PLBENo opposition filed within time limit

Free format text:ORIGINAL CODE: 0009261

STAAInformation on the status of an ep patent application or granted ep patent

Free format text:STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26NNo opposition filed

Effective date:20130613

REGReference to a national code

Ref country code:DE

Ref legal event code:R097

Ref document number:602005036066

Country of ref document:DE

Effective date:20130613

REGReference to a national code

Ref country code:FR

Ref legal event code:PLFP

Year of fee payment:12

REGReference to a national code

Ref country code:FR

Ref legal event code:PLFP

Year of fee payment:13

REGReference to a national code

Ref country code:FR

Ref legal event code:PLFP

Year of fee payment:14

PGFPAnnual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code:FR

Payment date:20210623

Year of fee payment:17

PGFPAnnual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code:GB

Payment date:20210623

Year of fee payment:17

PGFPAnnual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code:DE

Payment date:20210622

Year of fee payment:17

REGReference to a national code

Ref country code:DE

Ref legal event code:R119

Ref document number:602005036066

Country of ref document:DE

GBPCGb: european patent ceased through non-payment of renewal fee

Effective date:20220707

PG25Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code:FR

Free format text:LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date:20220731

PG25Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code:GB

Free format text:LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date:20220707

Ref country code:DE

Free format text:LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date:20230201
[8]ページ先頭
©2009-2025 Movatter.jp